Most PDF exploits work in a very well-defined, boring way. Somebody discovers how to make Adobe Reader run a JavaScript program in a way that bypasses the usual safeguards. In this particular case, the trickster put together a TrueType font that caused Adobe Reader to go nuts. TrueType fonts store their data in a rigidly specified layout, and by declaring more data in a field than it is supposed to hold, the attacker can trick Reader into running a program hidden away inside the PDF file. That, combined with an auto-executing JavaScript program that varies depending on the version of Reader being used, put the exploit in motion.
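The defensive counterpart of the field-length trick described above is a parser that refuses to trust any declared length until it has been checked against the real file size. The script below is an added example written for this page, not code from the article, from Adobe, or from any exploit; it parses the TrueType table directory (the sfnt offset table and its 16-byte table records), reports every table whose declared offset and length run past the end of the file, and builds a constructed two-table font (tags `head` and `cmap`, zero-filled payloads) in which the second record's length is inflated, so the check can be exercised offline.

```python
import struct

OFFSET_TABLE_SIZE = 12   # sfntVersion(4) numTables(2) searchRange(2) entrySelector(2) rangeShift(2)
TABLE_RECORD_SIZE = 16   # tag(4) checkSum(4) offset(4) length(4)
SFNT_VERSIONS = (0x00010000, 0x74727565)  # version 1.0 and the Apple 'true' tag


def parse_table_directory(data: bytes):
    """Return [(tag, offset, length), ...] from the sfnt table directory."""
    if len(data) < OFFSET_TABLE_SIZE:
        raise ValueError("file too short for an offset table")
    sfnt_version, num_tables = struct.unpack_from(">IH", data, 0)
    if sfnt_version not in SFNT_VERSIONS:
        raise ValueError("not a TrueType sfnt header")
    directory_end = OFFSET_TABLE_SIZE + TABLE_RECORD_SIZE * num_tables
    if directory_end > len(data):
        raise ValueError("table directory runs past end of file")
    records = []
    for i in range(num_tables):
        tag, _checksum, offset, length = struct.unpack_from(
            ">4sIII", data, OFFSET_TABLE_SIZE + TABLE_RECORD_SIZE * i)
        records.append((tag.decode("latin-1"), offset, length))
    return records


def check_table_bounds(data: bytes):
    """Return [(tag, reason)] for every table whose declared range does not fit in the file."""
    problems = []
    for tag, offset, length in parse_table_directory(data):
        # The declared length is an untrusted 32-bit value; it must never become a copy
        # size until offset + length has been checked against the real file size.
        if offset < OFFSET_TABLE_SIZE or offset + length > len(data):
            problems.append((tag, f"offset {offset} + length {length} exceeds {len(data)} bytes"))
    return problems


def build_sample_font(oversized: bool) -> bytes:
    """Constructed two-table font (assumption: zero-filled payloads are enough for this check).
    With oversized=True the second record claims far more data than the file holds."""
    num_tables = 2
    directory_size = OFFSET_TABLE_SIZE + TABLE_RECORD_SIZE * num_tables  # 44 bytes
    header = struct.pack(">IHHHH", 0x00010000, num_tables, 32, 1, 0)
    payload_a = b"\x00" * 54   # a real 'head' table is 54 bytes; zero-filled here
    payload_b = b"\x00" * 16
    rec_a = struct.pack(">4sIII", b"head", 0, directory_size, len(payload_a))
    length_b = 0x7FFFFFF0 if oversized else len(payload_b)
    rec_b = struct.pack(">4sIII", b"cmap", 0, directory_size + len(payload_a), length_b)
    return header + rec_a + rec_b + payload_a + payload_b


if __name__ == "__main__":
    for flag in (False, True):
        label = "oversized" if flag else "well-formed"
        print(label, check_table_bounds(build_sample_font(flag)))
```

The well-formed sample yields an empty problem list; the oversized one reports the `cmap` record. The same offset-plus-length test belongs in front of every table-specific parser in a real font engine, since a single unchecked length is all the overflow described above needs.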

Up to this point, the exploit is a cleverly choreographed buffer overflow -- well designed but not particularly interesting. Now here's the scary part.

Whoever put this zero-day together figured out a way to bypass Windows 7's vaunted ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) lock-down technologies. I talked about ASLR and DEP in my July 6 blog, "Big-name Windows apps neglect security." The author of this particular zero-day used a technique called ROP, or Return Oriented Programming, to allow the malware to thumb its nose at Windows 7's two big new security measures. The Metasploit blog has details.

ROP relies on finding and running snippets of code in parts of Windows that haven't been locked down. The gist of it: if the attacker can run tiny pieces of code that are already in memory to do the malware's dirty work, and each tiny piece sits just before a Return instruction, the malware can stay in control. Peter Van Eeckhoutte has a detailed, working introduction to ROP in his Exploit Writing Tutorial Part 10: Chaining DEP with ROP - the Rubik's [TM] Cube.
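The "parts of Windows that haven't been locked down" are modules that never opted into ASLR and DEP, and a defender can audit that directly from the PE header: the DllCharacteristics word of the optional header carries the DYNAMIC_BASE and NX_COMPAT opt-in bits, and a module with relocations stripped cannot be moved by the loader even if it asks for a random base. The script below is an added example written for this page, not code from the article, the Metasploit blog, or the Corelan tutorial; the flag values and header offsets are from the PE/COFF specification, and the header-only sample image it builds is constructed here purely to exercise the check.

```python
import struct

# Real constants from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # image may be loaded at a random base (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # image is DEP-compatible
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # no .reloc data: the loader cannot move the image
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHARACTERISTICS_OFFSET = 70  # same offset inside the optional header for PE32 and PE32+


def read_pe_flags(data: bytes):
    """Return (coff_characteristics, dll_characteristics) from a PE file's headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsections, _stamp, _symtab, _nsyms,
     opt_size, coff_chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic")
    dll_chars = struct.unpack_from("<H", data, opt + DLLCHARACTERISTICS_OFFSET)[0]
    return coff_chars, dll_chars


def mitigation_report(data: bytes) -> dict:
    """ASLR is effective only with the DYNAMIC_BASE opt-in and intact relocations; DEP needs NX_COMPAT."""
    coff_chars, dll_chars = read_pe_flags(data)
    return {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
                and not (coff_chars & IMAGE_FILE_RELOCS_STRIPPED),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_sample_pe(dll_chars: int, coff_chars: int = 0x2102) -> bytes:
    """Constructed header-only PE32 image (assumption: not loadable, just enough for the check).
    0x2102 = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)     # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, coff_chars)  # i386, one section, PE32 opt header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_sample_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    legacy = build_sample_pe(0)
    print("hardened:", mitigation_report(hardened))
    print("legacy:  ", mitigation_report(legacy))
```

Pointing `read_pe_flags` at the DLLs an application loads (read each file's bytes and pass them in) gives the list of modules that sit at a fixed address with executable data, which is exactly the inventory a defender wants before deciding whether a process is protected by ASLR and DEP or merely running next to them.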